Contract Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a local contract-review helper that reads user-chosen contract text files and prints analysis results, with privacy caveats but no evidence of hidden collection, persistence, or unsafe execution.

Install only if you are comfortable running local scripts on contract files you explicitly choose. Do not use it in shared terminals, CI logs, recorded sessions, or chat transcripts with confidential agreements unless that output is acceptable. The publisher should correct the unrelated crypto and purchase capability tags and add a clearer sensitive-data warning, but the artifacts reviewed do not show malicious behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill exposes executable commands and implicitly requires reading files and possibly environment data, but it declares no permissions or trust boundaries. This can lead to unintended access to sensitive contract files or environment-backed secrets because users and the platform are not given an explicit capability model to review or constrain.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The trigger list contains broad phrases like 'contract summary' and especially 'analyze contract,' which may match generic user requests and invoke the skill outside a clearly scoped contract-review workflow. Overbroad activation can cause accidental processing of sensitive legal documents or unexpected execution of local scripts when the user did not intend to use this specific skill.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill prints extracted obligations, dates, parties, and other contract-derived details directly to stdout, which can expose sensitive contractual information in logs, terminal history, chat transcripts, or downstream tool captures. In a contract-analysis skill, the input is highly likely to contain confidential business terms and personal data, so echoing excerpts without an explicit privacy warning or redaction control increases the risk of unintended disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
